Are Privacy Clouds Far Off?

New identity protocols continue to proliferate across the risk landscape, some more open and de-linked from specific transactions like payments, others deeply embedded in payment schemes, such as EMV. The newest of these open P2P protocols (actually a complete scheme) in pilot is Identity Mixer from IBM Research Zurich.

In January, IBM Research (IBM) announced its plan for Identity Mixer as a cloud-based technology designed to help consumers better protect data online, including health records, location data, and credit card numbers, by enabling a precise choice over which data to share, and with whom, without an identity settlement system in the middle of the interaction. Identity Mixer uses a cryptographic algorithm to encrypt the certified identity attributes of a user, in a way that allows the user to reveal only selected pieces via authenticated credentials to third parties. Identity Mixer is designed to be used in a digital wallet, with credentials certified by a commercial or government trusted third party. The scheme is designed so that the issuer of the credentials has no knowledge of how and when the credentials are being used, as the protocol has no reliance on a centralized identity/credential settlement system or relying party, as designed into the U2F and UAF specifications of the FIDO Alliance.

[Sounding familiar yet?]

For example, a financial advisor could use Identity Mixer to trust the relationship between an investor and his/her account without disclosing the investor’s name or account details. Or, a lender could trust the employment status and pay grade of a loan applicant without requiring knowledge of the employer or salary. Use cases for delivering medical and health data privacy and IoT security are also in test. IBM, NEC Europe, and Tunstall Healthcare are currently in pilot using Identity Mixer to deliver tailored social care services including emergency services, assisted mobility, housekeeping and nursing assistance. The pilot works like this:

Test participants in the southwest of Germany will be equipped with sensors for in-home activity and status monitoring. The data gathered from these sensors will be transferred to a dedicated cloud server, where activity data will be analyzed to determine what level of assistance is required.

Field services representatives will be provided with a mobile device to collect and register sensitive customer data, medical records, medication, and family contacts, to establish a service contract. Identity Mixer will be used to keep all of this data confidential and private.

According to IBM, Identity Mixer is available as a set of strong cryptographic tools to developers and a Bluemix web service. Beginning later this year, Bluemix subscribers will be able to use Identity Mixer within their own applications and web services.

A few other IDCers and I are scheduled for a deeper dive with IBM Research later this month, and we’re in contact with NEC Europe to better understand their contributions and perspectives. A few questions we hope to discuss are: Can digital identity and privacy be made as practical as envisioned by Identity Mixer? What are the attributes of an optimal use case? Do the practicalities of privacy-preserving digital credentials work for or against the public’s desire to balance privacy, personalization, and convenience? Will there be any impact on mobile OEMs and one-tap identity system developers? How do privacy risk models change in P2P systems?

If you have questions you’d like us to include, send them along to mversace@idc.com or through Twitter at @versace57.

Users interested in seeing a live demo of Identity Mixer in the cloud can visit https://idemixdemo.mybluemix.net/. In the demo you are Alice and you want to download a movie, but first you need to prove you are old enough. Identity Mixer allows Alice to prove her age without revealing any personal data.